Does GDPR have anything to do with Marketing?

As a Head of Marketing I have been surprised by the number of times that the term GDPR, which stands for the General Data Protection Regulation, has popped up in my LinkedIn timeline. The initials are not ones that I remember being talked about when I did my marketing training, and they don’t seem connected with the current buzz words to do with Brexit, #GE2017 or any of the other hashtags that seem to fill my social media feeds. But, judging by the frequency that GDPR keeps popping up in my feeds, it seems pretty obvious that it is a term that I should pay attention to.

So what is GDPR and why as a marketing head should I be interested?

The GDPR is the new EU data protection legislation which will replace the UK Data Protection Act (DPA) on the 25th May 2018. It puts the onus on companies and public bodies to both protect the personal data of EU citizens which they hold and also ensure that this data has legally obtained. It demands that companies establish systems to ensure that the authorities and contacts are informed at the earliest opportunity if a data breach occurs.

OK, that sounds pretty innocuous so far, but don’t be taken in, the GDPR will have a huge influence on what you do as a marketeer from May next year. It will touch every company that holds information about EU citizens where ever the company is based. Don’t assume that because you are working for an SME or a US company that is working out of the Channel Islands, that it doesn’t apply. GDPR will come into force for ANY company that holds data on EU citizens. It would also be a mistake to assume that Brexit will give you an excuse to ignore it, before the election it was planned to bring the GDPR into British legislation and the assumption is that any post-election government will want to enact it in to British law.

Marketeers need to be preparing now, so that they don’t cause their companies to fall foul of the legislation. The Information Commissioner’s Office (ICO), who will monitor the GDPR and act as the enforcing authority, said at the end of May 2017 that:

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance”

The GDPR demands, amongst other things, that the personal data that you hold on staff, supplies and customers is:

Secure

Fairly sourced

Accurate

Kept for no longer than is necessary

Only transferred to other countries with adequate protection

Processed lawfully

The ICO has produced a 12 step preparation document which should be your first port of call to make sure you have all the details. You can get hold of it here.

In short the GDPR will touch:

The way that you source customer and prospect data

How you process this data

How you store it and pass it to third parties, such as your marketing agency

It should touch the whole of your organisation, but I believe that the Marketing team is a weak link in the GDPR chain. The consequences of the Marketing department causing your company to breach the regulations will be exceedingly career limiting.

It is worth Marketing Directors understanding the regulations themselves and what the penalties for companies that breach them really are so that Marketing doesn’t become the cause of a GDPR fine and censure.

The ICO talked about the need to manage data correctly and the penalties for non-compliance. The data management requirements can be found here. However, If a data breach happens or customer complains about their personal data being miss-collected or miss-handled, the fines are enormous. Companies in breach of the GDPR can become liable for a fine of either €20,000,000 or 4% of global turnover whatever is the HIGHERfigure.

There appear to be no exceptions for SME’s so if the Marketing team drops the ball you are going to have a very difficult conversation with your CEO. There is a lower level of sanction, but since this is a fine of €10,000,000 or 2% of global turnover for minor breaches, I am not sure if this is going to make your conversation with your boss any less painful.

The GDPR is very detailed, however the regulations will touch the Marketing team in two ways:

How your team handles consumer data

How your team collects consumer data

Firstly, a definition: What is consumer data?

We might have multiple definitions about what is consumer data, however the GDPR sees this as any kind of data that can be used to identify a particular individual. This can be the traditional information that we would easily recognise like, email, phone number, address and so forth, but it also can include Twitter and Instagram handles, photographs, IP addresses and the information gathered through cookies and tracking codes. Basically if the data could be used to identify someone, its personal data.

How does your team handle consumer data?

One of the key parts of GDPR is the prevention of data breaches. It has been designed to ensure that companies protect the data they have. It will also ensure that companies do not hide the fact that they have suffered a data breach. Following the introduction of GDPR it will no longer be possible to hide a data breach as Sony did in 2011. or Dropbox did in 2012.

Ok, your company isn’t Sony or Dropbox with their huge amounts of stored data (unless of course it is and apologies for bringing the subjects up), but how much data do you have sitting in your office that could go missing and be the cause of a breach.

Think about it for a moment, where is your data?

Is it sitting unencrypted on your laptop, which isn't password protected?

Have you sent it in an email to your marketing agency?

Has your marketing executive downloaded on to an iPad so they can use it while traveling?

Does the memory stick on your keyring have that database you were working on loaded on to it?

Or has the MD asked you to upload a database to a cloud based storage service so that they can access it while ‘working’ from their yacht?

The list goes on and I imagine that you have thought of a number of places that I haven’t even mentioned.

All of these could be the cause of a loss of consumer data and ultimately of that long walk to the CEO’s office for a ‘tricky chat’.

The data protection issue is a compliance fix. If you handle each file and database like it is worth €20,000,000 then you will find the problem is much easier to deal with. Marketing leaders need to audit what personal data their teams have and then take the necessary measures to ensure that it is securely stored and properly protected. Then, leaders need to make sure that their staff protect personal data correctly. This goes from the top to the bottom of the team, the leader needs to set the example and your lowliest marketing assistant needs to make sure they have the right training and support to follow the rules. Making sure that procedures are followed is a pain, but it is a relatively easy fix when you compare it with considering how your contact data is collected.

It is in the collection of contact data for marketing purposes that the GDPR will really bite.

In the first instance, you must ensure that your contacts have given you permission to use their details. In order to allow them to make an informed choice, you must explain to them why you are collecting data, how long you are likely to use it for and how they can have their name removed from the list at a later date. From May next year, it will not be enough to suppose that the user of your website has given you permission to take their details simply because they have left a pre-ticked permission box ticked. The permission to use consumer data has to be given explicitly. You can no longer assume permission and the failure to do so could be very expensive if a contact complains.

The need to gain explicit permission to use contact details may particularly influence cookie permissions. Website users will have to make some kind of ‘affirmative action’ to show you that they accept cookies and your website must provide a way for them to remove that permission at a later date.

After May next year, it will no longer be permissible to deny users access to your site unless they accept your cookies, as happened to me on a site last week. It appears that the way forward will be the “soft opt-in” route as is the easiest way to ensure compliance.

The second key area that the GDPR will touch is the use of emails. The DMA advises that post the introduction of GDPR email marketing will still be possible, but the collection of peoples’ contact data will become more difficult.

Marketeers cannot assume that because a customer has given you their email when they make an enquiry about your product that these details can be used marketing purposes. In the event of a complaint, marketing teams will need to be able to prove that they have received permission from the contact to use their details.

This will influence how you collect data to build your prospect databases. It will no longer be possible for sales team to simply scan the badge of every person that passes your stand at an exhibition or run a ‘prize draw’ as a business card magnet.

In order to be able to use this data, you will need to advise the contacts that you want to use the data for marketing purposes and ensure that they have agreed that you can use the data for that use. If you don't have their permission, you won’t be able to use the data after the show.

When an exhibition organiser offers you a database as a ‘sweetener’ to have a stand, you will only be able to use that data, if the exhibition organiser can prove that the contacts have given their permission for their data to be used and also for their data to be passed on to you. Without that permission it will illegal to use the data.

You will absolutely not be able to use any data that a salesperson brings with them from their last job and the farming of LinkedIn to collect email details will, probably, no longer be possible.

The GDPR will also have an influence on the details that you purchase from list brokers. Unless the broker can clearly show that each contact that they are selling has given permission for their data to be sold on for marketing purposes, the data will be useless. To use any third-party data you must be able to prove that the contact has agreed that their details can be used for marketing purposes.

For databases created after May 2018 the need to show that you have correctly collated the data and it has the right permissions is clear but, what do you do about your existing databases? Can you show that these current contacts have given you express permission to use their details? I know that many companies have contact databases that have been made up of a hotchpotch of customer details, web contacts, bought lists, ‘inherited’ lists and many other sources.

Before you can use your pre-GDPR day data for marketing purposes, you will need to ask yourself two key questions:

Have these legacy contacts given you informed permission to use their details

If asked, can you prove that you have received permission to use their details

If you cannot answer these questions in the affirmative, then you probably cannot use the data without risking a ‘tricky’ discussion with the CEO at some point.

All is not lost, there is still 12 months for you and your team to prepare for GDPR. The issue is a whole company issue not just a marketing issue. You never know, you may even get brownie points for having thought about the issue before the Data Management team speak to you, but do not be in any doubt that the GDPR will have to force a change of behaviours in the marketing team. The consequence of getting it right will be strong marketing targeted at the right people. The consequences of getting it wrong, could be very interesting and ones which you would probably rather avoid.

This guest post was brought to you by Dr Richard McKenzie, Head of Marketing for 3T RPD, which is one of Europe's leading production 3D printers.